CVE-2019-13177

CVE-2019-13177 is a critical-severity security vulnerability in django-rest-registration (pip), affecting versions >= 0.2.0, < 0.5.0. It is fixed in 0.5.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Improper Verification of Cryptographic Signature in django-rest-registration

Misusing the Django Signer API leads to predictable signatures used in verification emails

Workarounds

The easiest way way is to disable the verification options by using something like the minimal configuration described here. This will unfortunately disable checking whether the given e-mail is valid and make unable to users who registered an account but didn't verify it before config change.

Less harsh way is to temporarily disable just the the reset password functionality:

REST_REGISTRATION = {
    # ...
    'RESET_PASSWORD_VERIFICATION_ENABLED': False,
    # ...
}

Which should disallow the worst case, which is account takeover by an attacker. The attacker can still use the register-email endpoint to change the email to its own (but it is less critical than resetting the password in this case).

If one already set 'RESET_PASSWORD_VERIFICATION_ONE_TIME_USE' setting key to True in REST_REGISTRATION Django setting (which is not the default setting) then it should mitigate the security issue in case of password reset (in this case, the signature is much harder to guess by the attacker). But even in this case upgrade to newest version is highly recommended.

Technical description

After the code was refactored to use the official Signer class the salt
was passed wrongly as secret key, replacing the SECRET_KEY set in
Django settings file. This leads to the Django SECRET_KEY not being used by the signer object. The secret key of the signer ends to be the salt which in most cases is a static string which is publicly available.

In consequence this allows, with verification enabled, to guess
the signature contained in the verification link (which is sent in a verification e-mail) by a potential attacker very easily.

The bug went unnoticed for very long time so multiple versions are affected:
this bug affects versions 0.2.*, 0.3.*, 0.4.*; version 0.1.* is not affected.

Recently released version 0.5.0 contains the fix which correctly passes the salt to the Signer constructor as keyword argument instead as a positonal argument. It also contains additonal test so this problem should not reappear in the future.

Thanks

I'd like to thank @peterthomassen from https://desec.io DNS security project for finding the bug. I'd like also to thank his employer, SSE (https://www.securesystems.de) for funding his work.

For more information

If you have any questions or comments about this advisory:

Impact

The vulnerability is a high severity one. Anyone using Django REST Registration library versions 0.2.* - 0.4.* with e-mail verification option (which is recommended, but needs additional configuration) is affected.
In the worst case, the attacker can take over any Django user by resetting his/her password without even receiving the reset password verification link, just by guessing the signature from publicly available data (more detailed description below).

CVE-2019-13177 has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.5.0); upgrading removes the vulnerable code path.

Affected versions

django-rest-registration (>= 0.2.0, < 0.5.0)

Security releases

django-rest-registration → 0.5.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The problem has been patched in version 0.5.0. All library users should upgrade to version 0.5.0 or higher.
The fix will invalidate all previously generated signatures , and in consequence, all verification links in previously sent verification e-mails. Therefore semi-major version 0.5.0 was released instead of version 0.4.6 to mark that incompatibility.

Frequently Asked Questions

  1. What is CVE-2019-13177? CVE-2019-13177 is a critical-severity security vulnerability in django-rest-registration (pip), affecting versions >= 0.2.0, < 0.5.0. It is fixed in 0.5.0.
  2. How severe is CVE-2019-13177? CVE-2019-13177 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of django-rest-registration are affected by CVE-2019-13177? django-rest-registration (pip) versions >= 0.2.0, < 0.5.0 is affected.
  4. Is there a fix for CVE-2019-13177? Yes. CVE-2019-13177 is fixed in 0.5.0. Upgrade to this version or later.
  5. Is CVE-2019-13177 exploitable, and should I be worried? Whether CVE-2019-13177 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2019-13177 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2019-13177? Upgrade django-rest-registration to 0.5.0 or later.

Stop the waste.
Protect your environment with Kodem.